CVE-2026-26308: Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation
## 1. Summary

The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies, specifically "Deny" rules, by sending duplicate headers, which hides the denied value from exact-match mechanisms.

## 2. Attack Scenario

Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.

### Configuration

The Envoy proxy is configured with a **Deny** rule to reject requests containing the header `internal: true`.

* **Rule Type:** Exact Match
* **Target:** `internal` header must not equal `true`.

### The Bypass Logic

1. **Standard Request (Blocked):**
   * **Input:** `internal: true`
   * **Envoy Processing:** Sees the string `"true"`.
   * **Result:** Match found. **Request Denied.**
2. **Exploit Request (Bypassed):**
   * **Input:**
     ```http
     internal: true
     internal: true
     ```
   * **Envoy Processing:** Concatenates the values into `"true,true"`.
   * **Matcher Evaluation:** Does `"true,true"` equal `"true"`? **No.**
   * **Result:** The Deny rule fails to trigger. **Request Allowed.**

## 3. Implications

* **RBAC Bypass:** Remote attackers can bypass configured access controls.
* **Unauthorized Access:** Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
* **Risk:** High, particularly for deployments relying on "Exact Match" strategies for security blocking.

## 4. Reproduction Steps

To verify this vulnerability:

1. **Deploy Envoy:** Configure an instance with an RBAC **Deny** rule that performs an **exact match** on a specific header (e.g., `internal: true`).
2. **Baseline Test:** Send a request containing the header `internal: true`.
   * *Observation:* Envoy blocks this request (HTTP 403).
3. **Exploit Test:** Send a second request containing the same header twice:
   ```http
   GET /restricted-resource HTTP/1.1
   Host: example.com
   internal: true
   internal: true
   ```
   * *Observation:* Envoy allows the request, granting access to the resource.

## 6. Recommendations

**Fix Header Validation Logic:** Modify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of `getAllOfHeaderAsString()` for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.

**Harden the Deny Rule:** Review the Deny rule and consider a regex-style match that accounts for comma-separated values as a mitigation.

**Credit:** Dor Konis
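The following Python model is an added example, not Envoy code and not part of the original advisory. It reproduces the matcher behaviour described in the Bypass Logic section (exact match against a comma-joined string) and the two mitigations named in the Recommendations (per-value matching and a list-aware regex), plus a simple detection check for duplicated security-relevant headers. The accessor `get_all_of_header_as_string` only imitates the concatenation the advisory attributes to `getAllOfHeaderAsString()`; the sample requests and all function names are constructed for the example.

```python
import re

# Constructed sample requests: header (name, value) pairs in wire order.
BASELINE_REQUEST = [("host", "example.com"), ("internal", "true")]
DUPLICATE_REQUEST = [("host", "example.com"), ("internal", "true"), ("internal", "true")]
BENIGN_REQUEST = [("host", "example.com"), ("x-request-id", "abc123")]


def get_all_of_header_as_string(headers, name):
    """Model of the concatenating accessor the advisory describes: every instance
    of `name` is joined with ',' into one string. Returns None if absent."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return ",".join(values) if values else None


def header_values(headers, name):
    """Hypothetical per-instance accessor: each header occurrence stays separate."""
    return [v for n, v in headers if n.lower() == name.lower()]


def deny_exact_concatenated(headers, name="internal", expected="true"):
    """Vulnerable evaluation: the Deny rule fires only if the joined string equals
    the expected value, so 'true,true' slips past an exact match on 'true'."""
    return get_all_of_header_as_string(headers, name) == expected


def deny_exact_per_value(headers, name="internal", expected="true"):
    """Hardened evaluation: the Deny rule fires if ANY single instance matches."""
    return any(v == expected for v in header_values(headers, name))


# Matches 'true' as one element of a comma-separated list, with optional whitespace,
# so the concatenated form still trips the rule if per-value matching is unavailable.
LIST_AWARE_RE = re.compile(r"^(?:[^,]*,)*\s*true\s*(?:,[^,]*)*$")


def deny_regex_list_aware(headers, name="internal"):
    """Regex-style mitigation from the Recommendations, applied to the joined string."""
    joined = get_all_of_header_as_string(headers, name)
    return joined is not None and LIST_AWARE_RE.match(joined) is not None


def duplicate_sensitive_headers(headers, sensitive=("internal",)):
    """Detection helper: return the sensitive header names that appear more than
    once in a request, a signal worth logging or alerting on at the edge."""
    counts = {}
    for n, _ in headers:
        counts[n.lower()] = counts.get(n.lower(), 0) + 1
    return [n for n in sensitive if counts.get(n.lower(), 0) > 1]


if __name__ == "__main__":
    for label, req in (("baseline", BASELINE_REQUEST), ("duplicate", DUPLICATE_REQUEST)):
        print(label,
              "concatenated-exact denies:", deny_exact_concatenated(req),
              "| per-value denies:", deny_exact_per_value(req),
              "| regex denies:", deny_regex_list_aware(req),
              "| duplicated:", duplicate_sensitive_headers(req))
```

Running the block shows the baseline request denied by all three evaluators, while the duplicated request is denied only by the per-value and regex evaluators; the detection helper flags `internal` on the duplicated request alone.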
## Frequently Asked Questions

**What is the severity of CVE-2026-26308?**

CVE-2026-26308 has been classified with moderate severity due to its potential impact on Role-Based Access Control.

**How do I fix CVE-2026-26308?**

To fix CVE-2026-26308, upgrade to Envoy versions 1.34.13 or later, or 1.35.8 or later, depending on your current version.

**Who is affected by CVE-2026-26308?**

CVE-2026-26308 affects users of Envoy versions up to 1.34.12, and versions between 1.35.0 and 1.35.8, 1.36.0 and 1.36.4, and the specific version 1.37.0.

**What type of vulnerability is CVE-2026-26308?**

CVE-2026-26308 is a logic vulnerability related to RBAC header validation bypass due to multi-value header concatenation.

**Can CVE-2026-26308 lead to unauthorized access?**

Yes, CVE-2026-26308 can potentially allow unauthorized users to bypass access controls by manipulating HTTP headers.